Package org.owasp.dependencycheck.maven

Class BaseDependencyCheckMojo

  • All Implemented Interfaces:
    org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo, org.apache.maven.reporting.MavenReport
    Direct Known Subclasses:
    AggregateMojo, CheckMojo, PurgeMojo, UpdateMojo
    public abstract class BaseDependencyCheckMojo
extends org.apache.maven.plugin.AbstractMojo
implements org.apache.maven.reporting.MavenReport
    Author:
    Jeremy Long

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String PROTOCOL_HTTP
      Constant for the HTTP protocol string.
      static java.lang.String PROTOCOL_HTTPS
      Constant for the HTTPS protocol string.

      • Fields inherited from interface org.apache.maven.reporting.MavenReport

        CATEGORY_PROJECT_INFORMATION, CATEGORY_PROJECT_REPORTS, ROLE

      • Fields inherited from interface org.apache.maven.plugin.Mojo

        ROLE

    • Method Summary

      All Methods Instance Methods Abstract Methods Concrete Methods 
      Modifier and Type Method Description
      protected void checkForFailure​(Dependency[] dependencies)
      Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
      protected java.lang.String createProjectReferenceName​(org.apache.maven.project.MavenProject project, org.apache.maven.shared.dependency.graph.DependencyNode dependencyNode)  
      void execute()
      Executes dependency-check.
      void generate​(org.apache.maven.doxia.sink.Sink sink, java.util.Locale locale)
      Generates the Dependency-Check Site Report.
      protected Filter<java.lang.String> getArtifactScopeExcluded()
      Returns the artifact scope excluded filter.
      java.lang.String getCategoryName()
      Returns the category name.
      protected java.lang.String getConnectionString()
      Returns the connection string.
      protected java.io.File getCorrectOutputDirectory()
      Returns the correct output directory depending on if a site is being executed or not.
      protected java.io.File getCorrectOutputDirectory​(org.apache.maven.project.MavenProject current)
      Returns the correct output directory depending on if a site is being executed or not.
      java.util.List<java.lang.String> getExcludes()
      Returns the list of excluded artifacts based on either artifact id or group id and artifact id.
      java.io.File getOutputDirectory()
      Returns the output directory.
      java.lang.String getOutputName()
      Returns the output name.
      protected org.apache.maven.project.MavenProject getProject()
      Returns a reference to the current project.
      protected java.util.List<org.apache.maven.project.MavenProject> getReactorProjects()
      Returns the list of Maven Projects in this build.
      java.io.File getReportOutputDirectory()
      Returns the report output directory.
      protected Settings getSettings()
      Returns the configured settings.
      protected Engine initializeEngine()
      Initializes a new Engine that can be used for scanning.
      boolean isExternalReport()
      Returns whether this is an external report.
      protected boolean isFailOnError()
      Returns if the mojo should fail the build if an exception occurs.
      protected boolean isGeneratingSite()
      Returns true if the Maven site is being generated.
      org.apache.maven.project.ProjectBuildingRequest newResolveArtifactProjectBuildingRequest​(org.apache.maven.project.MavenProject project, java.util.List<org.apache.maven.artifact.repository.ArtifactRepository> repos)  
      protected void populateSettings()
      Takes the properties supplied and updates the dependency-check settings.
      protected java.util.Set<org.apache.maven.artifact.Artifact> resolveArtifactDependencies​(org.apache.maven.shared.transfer.dependencies.DependableCoordinate artifact, org.apache.maven.project.MavenProject project)  
      protected void runCheck()
      Executes the dependency-check scan and generates the necessary report.
      protected ExceptionCollection scanArtifacts​(org.apache.maven.project.MavenProject project, Engine engine)
      Scans the project's artifacts and adds them to the engine's dependency list.
      protected ExceptionCollection scanArtifacts​(org.apache.maven.project.MavenProject project, Engine engine, boolean aggregate)
      Scans the project's artifacts and adds them to the engine's dependency list.
      protected abstract ExceptionCollection scanDependencies​(Engine engine)
      Scans the dependencies of the projects.
      protected ExceptionCollection scanPlugins​(org.apache.maven.project.MavenProject project, Engine engine, ExceptionCollection exCollection)
      Scans the project's artifacts for plugin-dependencies and adds them to the engine's dependency list.
      protected abstract ExceptionCollection scanPlugins​(Engine engine, ExceptionCollection exCol)
      Scans the plugins of the projects.
      void setReportOutputDirectory​(java.io.File directory)
      Sets the Reporting output directory.
      protected void showSummary​(org.apache.maven.project.MavenProject mp, Dependency[] dependencies)
      Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.

      • Methods inherited from class org.apache.maven.plugin.AbstractMojo

        getLog, getPluginContext, setLog, setPluginContext

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

      • Methods inherited from interface org.apache.maven.reporting.MavenReport

        canGenerateReport, getDescription, getName, getOutputPath

    • Field Detail

      • PROTOCOL_HTTPS

        public static final java.lang.String PROTOCOL_HTTPS
        Constant for the HTTPS protocol string.
        See Also:
        Constant Field Values

      • PROTOCOL_HTTP

        public static final java.lang.String PROTOCOL_HTTP
        Constant for the HTTP protocol string.
        See Also:
        Constant Field Values

    • Constructor Detail

      • BaseDependencyCheckMojo

        public BaseDependencyCheckMojo()

    • Method Detail

      • execute

        public void execute()
             throws org.apache.maven.plugin.MojoExecutionException,
                    org.apache.maven.plugin.MojoFailureException
        Executes dependency-check.
        Specified by:
        execute in interface org.apache.maven.plugin.Mojo
        Throws:
        org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception executing the mojo
        org.apache.maven.plugin.MojoFailureException - thrown if dependency-check failed the build

      • isGeneratingSite

        protected boolean isGeneratingSite()
        Returns true if the Maven site is being generated.
        Returns:
        true if the Maven site is being generated

      • getConnectionString

        protected java.lang.String getConnectionString()
        Returns the connection string.
        Returns:
        the connection string

      • isFailOnError

        protected boolean isFailOnError()
        Returns if the mojo should fail the build if an exception occurs.
        Returns:
        whether or not the mojo should fail the build

      • generate

        public void generate​(org.apache.maven.doxia.sink.Sink sink,
                     java.util.Locale locale)
              throws org.apache.maven.reporting.MavenReportException
        Generates the Dependency-Check Site Report.
        Specified by:
        generate in interface org.apache.maven.reporting.MavenReport
        Parameters:
        sink - the sink to write the report to
        locale - the locale to use when generating the report
        Throws:
        org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

      • getCorrectOutputDirectory

        protected java.io.File getCorrectOutputDirectory()
                                          throws org.apache.maven.plugin.MojoExecutionException
        Returns the correct output directory depending on if a site is being executed or not.
        Returns:
        the directory to write the report(s)
        Throws:
        org.apache.maven.plugin.MojoExecutionException - thrown if there is an error loading the file path

      • getCorrectOutputDirectory

        protected java.io.File getCorrectOutputDirectory​(org.apache.maven.project.MavenProject current)
        Returns the correct output directory depending on if a site is being executed or not.
        Parameters:
        current - the Maven project to get the output directory from
        Returns:
        the directory to write the report(s)

      • scanArtifacts

        protected ExceptionCollection scanArtifacts​(org.apache.maven.project.MavenProject project,
                                            Engine engine)
        Scans the project's artifacts and adds them to the engine's dependency list.
        Parameters:
        project - the project to scan the dependencies of
        engine - the engine to use to scan the dependencies
        Returns:
        a collection of exceptions that may have occurred while resolving and scanning the dependencies

      • scanArtifacts

        protected ExceptionCollection scanArtifacts​(org.apache.maven.project.MavenProject project,
                                            Engine engine,
                                            boolean aggregate)
        Scans the project's artifacts and adds them to the engine's dependency list.
        Parameters:
        project - the project to scan the dependencies of
        engine - the engine to use to scan the dependencies
        aggregate - whether the scan is part of an aggregate build
        Returns:
        a collection of exceptions that may have occurred while resolving and scanning the dependencies

      • scanPlugins

        protected ExceptionCollection scanPlugins​(org.apache.maven.project.MavenProject project,
                                          Engine engine,
                                          ExceptionCollection exCollection)
        Scans the project's artifacts for plugin-dependencies and adds them to the engine's dependency list.
        Parameters:
        project - the project to scan the plugin-dependencies of
        engine - the engine to use to scan the plugin-dependencies
        exCollection - the collection of exceptions that have previously occurred
        Returns:
        a collection of exceptions that may have occurred while resolving and scanning the plugins and their dependencies

      • resolveArtifactDependencies

        protected java.util.Set<org.apache.maven.artifact.Artifact> resolveArtifactDependencies​(org.apache.maven.shared.transfer.dependencies.DependableCoordinate artifact,
                                                                                        org.apache.maven.project.MavenProject project)
                                                                                 throws org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException
        Throws:
        org.apache.maven.shared.transfer.dependencies.resolve.DependencyResolverException

      • createProjectReferenceName

        protected java.lang.String createProjectReferenceName​(org.apache.maven.project.MavenProject project,
                                                      org.apache.maven.shared.dependency.graph.DependencyNode dependencyNode)
        Parameters:
        project - the MavenProject
        dependencyNode - the DependencyNode
        Returns:
        the name to be used when creating a project reference in a Dependency. The behavior of this method returns project.getName() + ":" + dependencyNode.getArtifact().getScope().

      • newResolveArtifactProjectBuildingRequest

        public org.apache.maven.project.ProjectBuildingRequest newResolveArtifactProjectBuildingRequest​(org.apache.maven.project.MavenProject project,
                                                                                                java.util.List<org.apache.maven.artifact.repository.ArtifactRepository> repos)
        Parameters:
        project - The target project to create a building request for.
        repos - the artifact repositories to use.
        Returns:
        Returns a new ProjectBuildingRequest populated from the current session and the target project remote repositories, used to resolve artifacts.

      • runCheck

        protected void runCheck()
                 throws org.apache.maven.plugin.MojoExecutionException,
                        org.apache.maven.plugin.MojoFailureException
        Executes the dependency-check scan and generates the necessary report.
        Throws:
        org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception running the scan
        org.apache.maven.plugin.MojoFailureException - thrown if dependency-check is configured to fail the build

      • scanDependencies

        protected abstract ExceptionCollection scanDependencies​(Engine engine)
                                                 throws org.apache.maven.plugin.MojoExecutionException
        Scans the dependencies of the projects.
        Parameters:
        engine - the engine used to perform the scanning
        Returns:
        a collection of exceptions
        Throws:
        org.apache.maven.plugin.MojoExecutionException - thrown if a fatal exception occurs

      • scanPlugins

        protected abstract ExceptionCollection scanPlugins​(Engine engine,
                                                   ExceptionCollection exCol)
                                            throws org.apache.maven.plugin.MojoExecutionException
        Scans the plugins of the projects.
        Parameters:
        engine - the engine used to perform the scanning
        exCol - the collection of any exceptions that have previously been captured.
        Returns:
        a collection of exceptions
        Throws:
        org.apache.maven.plugin.MojoExecutionException - thrown if a fatal exception occurs

      • getReportOutputDirectory

        public java.io.File getReportOutputDirectory()
        Returns the report output directory.
        Specified by:
        getReportOutputDirectory in interface org.apache.maven.reporting.MavenReport
        Returns:
        the report output directory

      • setReportOutputDirectory

        public void setReportOutputDirectory​(java.io.File directory)
        Sets the Reporting output directory.
        Specified by:
        setReportOutputDirectory in interface org.apache.maven.reporting.MavenReport
        Parameters:
        directory - the output directory

      • getOutputDirectory

        public java.io.File getOutputDirectory()
        Returns the output directory.
        Returns:
        the output directory

      • isExternalReport

        public final boolean isExternalReport()
        Returns whether this is an external report. This method always returns true.
        Specified by:
        isExternalReport in interface org.apache.maven.reporting.MavenReport
        Returns:
        true

      • getOutputName

        public java.lang.String getOutputName()
        Returns the output name.
        Specified by:
        getOutputName in interface org.apache.maven.reporting.MavenReport
        Returns:
        the output name

      • getCategoryName

        public java.lang.String getCategoryName()
        Returns the category name.
        Specified by:
        getCategoryName in interface org.apache.maven.reporting.MavenReport
        Returns:
        the category name

      • initializeEngine

        protected Engine initializeEngine()
                           throws DatabaseException,
                                  org.apache.maven.plugin.MojoExecutionException,
                                  org.apache.maven.plugin.MojoFailureException
        Initializes a new Engine that can be used for scanning. This method should only be called in a try-with-resources to ensure that the engine is properly closed.
        Returns:
        a newly instantiated Engine
        Throws:
        DatabaseException - thrown if there is a database exception
        org.apache.maven.plugin.MojoExecutionException - on configuration errors when failOnError is true
        org.apache.maven.plugin.MojoFailureException - on configuration errors when failOnError is false

      • populateSettings

        protected void populateSettings()
                         throws org.apache.maven.plugin.MojoFailureException,
                                org.apache.maven.plugin.MojoExecutionException
        Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties required to change the proxy URL, port, and connection timeout.
        Throws:
        org.apache.maven.plugin.MojoFailureException
        org.apache.maven.plugin.MojoExecutionException

      • getProject

        protected org.apache.maven.project.MavenProject getProject()
        Returns a reference to the current project. This method is used instead of auto-binding the project via component annotation in concrete implementations of this. If the child has a @Component MavenProject project; defined then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the binding).
        Returns:
        returns a reference to the current project

      • getReactorProjects

        protected java.util.List<org.apache.maven.project.MavenProject> getReactorProjects()
        Returns the list of Maven Projects in this build.
        Returns:
        the list of Maven Projects in this build

      • getExcludes

        public java.util.List<java.lang.String> getExcludes()
        Returns the list of excluded artifacts based on either artifact id or group id and artifact id.
        Returns:
        a list of artifact to exclude

      • getArtifactScopeExcluded

        protected Filter<java.lang.String> getArtifactScopeExcluded()
        Returns the artifact scope excluded filter.
        Returns:
        the artifact scope excluded filter

      • getSettings

        protected Settings getSettings()
        Returns the configured settings.
        Returns:
        the configured settings

      • checkForFailure

        protected void checkForFailure​(Dependency[] dependencies)
                        throws org.apache.maven.plugin.MojoFailureException
        Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
        Parameters:
        dependencies - the list of dependency objects
        Throws:
        org.apache.maven.plugin.MojoFailureException - thrown if a CVSS score is found that is higher than the threshold set

      • showSummary

        protected void showSummary​(org.apache.maven.project.MavenProject mp,
                           Dependency[] dependencies)
        Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
        Parameters:
        mp - the Maven project for which the summary is shown
        dependencies - a list of dependency objects